Fake Windows security center

View previous topic View next topic Go down

Fake Windows security center

Post by aquafinanina on 31st January 2010, 10:28 am

Hi,
My computer has been infected with some sort of virus. It pops up with a message every once in a while saying "danger there are some serious security threats detected on your computer..." and also some other pop ups saying that I need to enable protection of my windows firewall. My symptoms are exactly as described in this old post: [You must be registered and logged in to see this link.] . I tried to install malwarebytes anti-malware, but it would not run. Even when I followed the previous post's instructions and installed it in its own folder, named exactly the same, it would not run. Your help would be greatly appreciated! Here's my HiJack This log.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:18 AM, on 1/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\AQUAFI~1\LOCALS~1\Temp\extrac64_cab.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\AQUAFI~1\LOCALS~1\Temp\winhlp64.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\aquafinanina\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [AzMixerSel] "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe"
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Logitech Utility] "C:\WINDOWS\Logi_MwX.Exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [extrac64_cab.exe] C:\DOCUME~1\AQUAFI~1\LOCALS~1\Temp\extrac64_cab.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &AOL Toolbar search - [You must be registered and logged in to see this link.] Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - [You must be registered and logged in to see this link.]
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 10682 bytes

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by Belahzur on 31st January 2010, 8:10 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [extrac64_cab.exe] C:\DOCUME~1\AQUAFI~1\LOCALS~1\Temp\extrac64_cab.exe
    O20 - AppInit_DLLs: karna.dat



  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake Windows security center

Post by aquafinanina on 31st January 2010, 10:33 pm

I was able to "fix checked" in hijack this, but am still not able to run malwarebytes. When I double click to open it, it asks if I want to run this file, so I click "run", then it goes away but nothing happens.

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by Belahzur on 1st February 2010, 12:30 am

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake Windows security center

Post by aquafinanina on 2nd February 2010, 5:44 am

I am seeing a "page load error" and address not found screen...

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by Belahzur on 2nd February 2010, 8:07 pm

Please download Ice Sword from [You must be registered and logged in to see this link.]

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Will IceSword open?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake Windows security center

Post by aquafinanina on 2nd February 2010, 10:27 pm

I am able to run IceSword. It says "IoCompleteRequest was hooked (=>82b8d97b), restore now." I click OK on that box, and it is running.

Also, as an update on the virus, I have stopped getting messages from the taskbar. There were 2 red shield looking images on there with Xs, and one would have messages popping up saying "Danger! There are some serious security threats detected on your computer...." but I have stopped receiving those in the past day.


Last edited by aquafinanina on 2nd February 2010, 10:29 pm; edited 1 time in total (Reason for editing : additional info)

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by Belahzur on 3rd February 2010, 12:49 am

Hello.


  • Now, on the left hand side tool, hit the Process button at the top of the list.
  • Just above the list, there is a log button, press that and save the log to your Desktop.
  • Post that log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake Windows security center

Post by aquafinanina on 3rd February 2010, 9:24 am

Process:

System Idle Process
System
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\smss.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\aquafinanina\Desktop\IceSword122en\IceSword122en\IceSword.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxsrvc.exe

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by Belahzur on 3rd February 2010, 8:02 pm

Hello.


  • On the left hand side tool, hit the Startup button at the top of the list.
  • Just above the list, there is a log button, press that and save the log to your Desktop.
  • Post that log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake Windows security center

Post by aquafinanina on 3rd February 2010, 10:12 pm

When I click the startup button, it says I am missing a shortcut called vpngui.exe. I click cancel, and here is the log...



Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
igfxtray
"C:\WINDOWS\system32\igfxtray.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
igfxhkcmd
"C:\WINDOWS\system32\hkcmd.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
igfxpers
"C:\WINDOWS\system32\igfxpers.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Apoint
"C:\Program Files\Apoint\Apoint.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RTHDCPL
"C:\WINDOWS\RTHDCPL.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AzMixerSel
"C:\Program Files\Realtek\InstallShield\AzMixerSel.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VAIO Recovery
"C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SonyPowerCfg
"C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ISBMgr.exe
"C:\Program Files\Sony\ISB Utility\ISBMgr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VAIO Update 2
"C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ISUSPM Startup
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ISUSScheduler
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroFilterCheck
"C:\WINDOWS\system32\NeroCheck.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logitech Utility
"C:\WINDOWS\Logi_MwX.Exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelliPoint
"C:\Program Files\Microsoft IntelliPoint\point32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunesHelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Program Files\Common Files\Java\Java Update\jusched.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Remark£º)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Cisco Systems VPN Client.lnk
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Remark£º)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\aquafinanina\Start Menu\Programs\Startup
desktop.ini

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by Belahzur on 4th February 2010, 12:44 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake Windows security center

Post by aquafinanina on 5th February 2010, 7:24 am

ComboFix 10-02-04.03 - aquafinanina 02/04/2010 15:38:27.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.292 [GMT -8:00]
Running from: c:\documents and settings\aquafinanina\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\_VOIDmainqt.dll
c:\program files\Malware Defense
c:\windows\DRIVERS\beep.sys
c:\windows\system32\_VOIDckhqnsngdl.dll
c:\windows\system32\_VOIDfpuxsnppul.dll
c:\windows\system32\_VOIDmywiwfstin.dll
c:\windows\system32\_VOIDrkjkohbroc.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-01-31 22:22 . 2010-01-31 22:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-31 10:16 . 2010-02-03 22:11 1048 ----a-w- c:\windows\system32\_VOIDshsyst.dll
2010-01-31 10:07 . 2010-01-31 22:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 09:33 . 2010-01-31 10:03 248 ----a-w- c:\windows\system32\_VOIDoerfysuwgr.dat
2010-01-31 09:33 . 2010-01-31 09:33 39936 ----a-w- c:\windows\system32\drivers\_VOIDokvwvouhwu.sys
2010-01-06 21:29 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 23:25 . 2006-07-19 05:14 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-31 09:34 . 2010-01-31 09:34 1516 ----a-w- c:\documents and settings\All Users\Application Data\_VOIDkrl32mainweq.dll
2010-01-31 09:34 . 2010-01-31 09:34 1516 ----a-w- c:\documents and settings\All Users\Application Data\_VOIDkrl32mainweq.dll
2010-01-27 08:04 . 2007-06-29 08:12 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 08:04 . 2010-01-27 08:04 503808 ----a-w- c:\documents and settings\aquafinanina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-48cba1c7-n\msvcp71.dll
2010-01-27 08:04 . 2010-01-27 08:04 348160 ----a-w- c:\documents and settings\aquafinanina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-48cba1c7-n\msvcr71.dll
2010-01-27 08:04 . 2010-01-27 08:04 499712 ----a-w- c:\documents and settings\aquafinanina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-48cba1c7-n\jmc.dll
2010-01-27 08:04 . 2010-01-27 08:04 61440 ----a-w- c:\documents and settings\aquafinanina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2aa748e4-n\decora-sse.dll
2010-01-27 08:04 . 2010-01-27 08:04 12800 ----a-w- c:\documents and settings\aquafinanina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2aa748e4-n\decora-d3d.dll
2010-01-27 08:04 . 2005-08-26 17:35 -------- d-----w- c:\program files\Java
2010-01-23 02:47 . 2007-02-07 09:24 -------- d-----w- c:\documents and settings\aquafinanina\Application Data\uTorrent
2009-12-21 19:14 . 2005-08-25 19:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 01:14 . 2008-11-23 21:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-21 15:51 . 2005-08-25 19:49 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 02:19 . 2009-09-19 18:23 143976 ----a-w- c:\documents and settings\aquafinanina\Application Data\Move Networks\uninstall.exe
2009-11-14 02:19 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\aquafinanina\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-11-14 02:19 . 2009-11-14 02:19 1794456 ----a-w- c:\documents and settings\aquafinanina\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"= "c:\windows\system32\ieframe.dll" [2009-12-21 11070464]

[HKEY_CLASSES_ROOT\clsid\{cfbfae00-17a6-11d0-99cb-00c04fd64497}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"= "c:\windows\system32\browseui.dll" [2008-04-14 1025024]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"= "c:\windows\system32\SHELL32.dll" [2008-06-17 8461312]

[HKEY_CLASSES_ROOT\clsid\{01e04581-4eee-11d0-bfe9-00aa005b4383}]

[HKEY_CLASSES_ROOT\clsid\{0e5cbf21-d15f-11d0-8301-00aa005b4383}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-05 114688]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2005-08-09 14743552]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Logitech Utility"="c:\windows\Logi_MwX.Exe" [2003-12-17 19968]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-30 180269]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
FF - ProfilePath - c:\documents and settings\aquafinanina\Application Data\Mozilla\Firefox\Profiles\lvrelajs.default\
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\aquafinanina\Application Data\Mozilla\Firefox\Profiles\lvrelajs.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\aquafinanina\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\aquafinanina\Application Data\Move Networks\plugins\npqmp071701000002.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{2318C2B1-4965-11D4-9B18-009027A5CD4F} - (no file)
WebBrowser-{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - (no file)
WebBrowser-{4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0600 - c:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0600\HXFSETUP.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-04 15:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\_VOIDd.sys]
"imagepath"="\systemroot\system32\drivers\_VOIDokvwvouhwu.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2010-02-04 16:02:29
ComboFix-quarantined-files.txt 2010-02-05 00:02

Pre-Run: 7,192,621,056 bytes free
Post-Run: 7,567,421,440 bytes free

- - End Of File - - 303AD86BF2047C55A18EE83DA588392D

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by Belahzur on 5th February 2010, 4:44 pm

Hello.
Ooh goody, you have a new version of a well known rootkit.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KILLALL::

    File::
    c:\windows\system32\_VOIDshsyst.dll
    c:\windows\system32\_VOIDoerfysuwgr.dat
    c:\windows\system32\drivers\_VOIDokvwvouhwu.sys
    c:\documents and settings\All Users\Application Data\_VOIDkrl32mainweq.dll
    c:\documents and settings\All Users\Application Data\_VOIDkrl32mainweq.dll

    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\_VOIDd.sys]

    Driver::
    _VOIDd.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake Windows security center

Post by aquafinanina on 5th February 2010, 6:03 pm

ComboFix 10-02-04.03 - aquafinanina 02/05/2010 9:39.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.204 [GMT -8:00]
Running from: c:\documents and settings\aquafinanina\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\aquafinanina\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\All Users\Application Data\_VOIDkrl32mainweq.dll"
"c:\windows\system32\_VOIDoerfysuwgr.dat"
"c:\windows\system32\_VOIDshsyst.dll"
"c:\windows\system32\drivers\_VOIDokvwvouhwu.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\_VOIDkrl32mainweq.dll
c:\windows\system32\_VOIDoerfysuwgr.dat
c:\windows\system32\_VOIDshsyst.dll
c:\windows\system32\drivers\_VOIDokvwvouhwu.sys

.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-04 23:36 . 2010-02-05 00:02 -------- d-----w- C:\Combo-Fix
2010-01-31 22:22 . 2010-01-31 22:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-31 10:07 . 2010-01-31 22:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 21:29 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 23:25 . 2006-07-19 05:14 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-27 08:04 . 2007-06-29 08:12 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 08:04 . 2010-01-27 08:04 503808 ----a-w- c:\documents and settings\aquafinanina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-48cba1c7-n\msvcp71.dll
2010-01-27 08:04 . 2010-01-27 08:04 348160 ----a-w- c:\documents and settings\aquafinanina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-48cba1c7-n\msvcr71.dll
2010-01-27 08:04 . 2010-01-27 08:04 499712 ----a-w- c:\documents and settings\aquafinanina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-48cba1c7-n\jmc.dll
2010-01-27 08:04 . 2010-01-27 08:04 61440 ----a-w- c:\documents and settings\aquafinanina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2aa748e4-n\decora-sse.dll
2010-01-27 08:04 . 2010-01-27 08:04 12800 ----a-w- c:\documents and settings\aquafinanina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2aa748e4-n\decora-d3d.dll
2010-01-27 08:04 . 2005-08-26 17:35 -------- d-----w- c:\program files\Java
2010-01-23 02:47 . 2007-02-07 09:24 -------- d-----w- c:\documents and settings\aquafinanina\Application Data\uTorrent
2009-12-21 19:14 . 2005-08-25 19:49 916480 ------w- c:\windows\system32\wininet.dll
2009-12-18 01:14 . 2008-11-23 21:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-21 15:51 . 2005-08-25 19:49 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 02:19 . 2009-09-19 18:23 143976 ----a-w- c:\documents and settings\aquafinanina\Application Data\Move Networks\uninstall.exe
2009-11-14 02:19 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\aquafinanina\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-11-14 02:19 . 2009-11-14 02:19 1794456 ----a-w- c:\documents and settings\aquafinanina\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"= "c:\windows\system32\ieframe.dll" [2009-12-21 11070464]

[HKEY_CLASSES_ROOT\clsid\{cfbfae00-17a6-11d0-99cb-00c04fd64497}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"= "c:\windows\system32\browseui.dll" [2008-04-14 1025024]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"= "c:\windows\system32\SHELL32.dll" [2008-06-17 8461312]

[HKEY_CLASSES_ROOT\clsid\{01e04581-4eee-11d0-bfe9-00aa005b4383}]

[HKEY_CLASSES_ROOT\clsid\{0e5cbf21-d15f-11d0-8301-00aa005b4383}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-05 114688]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2005-08-09 14743552]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Logitech Utility"="c:\windows\Logi_MwX.Exe" [2003-12-17 19968]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-30 180269]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
FF - ProfilePath - c:\documents and settings\aquafinanina\Application Data\Mozilla\Firefox\Profiles\lvrelajs.default\
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\aquafinanina\Application Data\Mozilla\Firefox\Profiles\lvrelajs.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\aquafinanina\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\aquafinanina\Application Data\Move Networks\plugins\npqmp071701000002.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-05 09:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\_VOIDd.sys]
"imagepath"="\systemroot\system32\drivers\_VOIDjjgcistils.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\_VOIDd.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\_VOIDjjgcistils.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(2264)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-05 10:01:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-05 18:01
ComboFix2.txt 2010-02-05 00:02

Pre-Run: 7,575,744,512 bytes free
Post-Run: 7,542,902,784 bytes free

- - End Of File - - 05750EE9FC83D5C22C5B2C17F5F7B8DE

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by Belahzur on 5th February 2010, 6:13 pm

Hmm, that thing doesn't wanna leave without a fight.

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world. That's why I want you to install one first!!

You aren't running Anti Virus Software

Please install Avira antivirus otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

It really makes no sense otherwise that we clean this up manually if an antivirus is not present which should be able to deal with most and prevent further reinfection.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Registry keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\_VOIDd.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake Windows security center

Post by aquafinanina on 5th February 2010, 7:45 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\_VOIDd.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by Belahzur on 5th February 2010, 7:51 pm

Goodbye malicious registry key. Roger that Okay, lets try MBAM now.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake Windows security center

Post by aquafinanina on 6th February 2010, 9:12 pm

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/6/2010 1:10:14 PM
mbam-log-2010-02-06 (13-10-14).txt

Scan type: Quick Scan
Objects scanned: 116761
Time elapsed: 11 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Looks great! It appears the problems have been solved and I am now rootkit free. Thank you!!!

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by Belahzur on 7th February 2010, 1:00 am

Yep, this looks good now.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake Windows security center

Post by aquafinanina on 7th February 2010, 9:48 pm

I get to the step where I click on start, but after that, it waits a while, and never loads. In the bottom left corner of IE it says waiting for the url, then it loads the status bar the whole way, then says done. Eventually IE just closes itself down.

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by Belahzur on 7th February 2010, 11:44 pm

Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake Windows security center

Post by aquafinanina on 9th February 2010, 9:30 am

It says that the online scanner is unavailable, am I to download a trial of their Internet Security or Anti-Virus programs?

aquafinanina
Novice
Novice

Posts Posts : 12
Joined Joined : 2010-01-31
OS OS : windows xp
Points Points : 25208
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Fake Windows security center

Post by lechi.man02 on 9th February 2010, 6:45 pm

Moderated Message: Hello, your comment has been removed. Please do not post in another member's topic. If you need help, please read [You must be registered and logged in to see this link.] over and [You must be registered and logged in to see this link.] to open a new topic.

lechi.man02
Beginner
Beginner

Posts Posts : 1
Joined Joined : 2010-02-03
OS OS : Windows Xp
Points Points : 25040
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum